DHS still gearing up response to cyberthreats
Connecting state and local government leaders
The nation faces a real threat to its critical infrastructure while the Homeland Security Department still struggles to develop the systems needed to assess and respond to those risks, the department's head of cybersecurity said today.
The nation faces a real threat to its critical infrastructure while the Homeland Security Department still struggles to develop the systems needed to assess and respond to those risks, the department's head of cybersecurity said today.
'We believe there is a significant cyber-risk in this country,' Andy Purdy, acting director of the National Cyber Security Division, said at the 2006 International Conference on Network Security, being held in Reston, Va. 'We can take no solace from the fact that we haven't seen the attacks yet.'
As the lead agency for IT security, DHS is the point of contact for collaboration with the IT industry in the development of a risk management plan as part of the national infrastructure protection plan. But critics have complained that cybersecurity has been too low a priority within the department. A newly created assistant secretary position would help to address this issue, but that office has yet to be filled.
'Homeland Security is working with the White House on coming up with a candidate,' Purdy said. He said an announcement is expected 'in the near future.'
The two great challenges for DHS now in IT security are developing a national cyber-response system to provide risk management for IT threats, and developing a process for sharing information about threats and vulnerabilities among agencies and with the private sector.
The problem right now is not a lack of information, but a lack of organization, Purdy said. 'There are so many players, so many different people doing different things,' he said.
Lack of communication has long been a problem in IT security. Information about threats and vulnerabilities often is seen as proprietary and sensitive, and owners within and outside of government tend to hold on to the information as long as possible.
Some elements of a system for sharing information already are in place, such as a host of industry-specific information sharing and analysis centers which communicate with lead government agencies for their sectors. But many in the private sector still are leery about sharing information with the government and there is no system to coordinate information sharing between industry sectors and various federal agencies. Also lacking is an engine for collating this data so that it can become useful intelligence.
Some in Purdy's audience were skeptical of Homeland Security's ability to create a risk analysis system without comprehensive reporting requirements used by other departments to produce useful statistics. Purdy acknowledged this difficulty and said DHS still is waiting on a comprehensive data collection system.
NEXT STORY: Cross-Agency Exercise Proves HSPD-12 Model